From 2216bd1642da39e1d5cf82c67ccebfa674698731 Mon Sep 17 00:00:00 2001
From: Lukas Rusak
Date: Tue, 7 Jun 2022 15:08:52 -0700
Subject: [PATCH] moby: add package
---
 .../addon-depends/docker/moby/package.mk | 53 ++++
 ...moby-001-user-addon-storage-location.patch | 284 ++++++++++++++++++
 ...nconfined-seccomp-profile-as-default.patch | 22 ++
 3 files changed, 359 insertions(+)
 create mode 100644 packages/addons/addon-depends/docker/moby/package.mk
 create mode 100644 packages/addons/addon-depends/docker/moby/patches/moby-001-user-addon-storage-location.patch
 create mode 100644 packages/addons/addon-depends/docker/moby/patches/moby-002-use-unconfined-seccomp-profile-as-default.patch
diff --git a/packages/addons/addon-depends/docker/moby/package.mk b/packages/addons/addon-depends/docker/moby/package.mk
new file mode 100644
index 0000000000..f8e108f0ea
--- /dev/null
+++ b/packages/addons/addon-depends/docker/moby/package.mk
@@ -0,0 +1,53 @@
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (C) 2022 Team LibreELEC (https://libreelec.tv)
+
+PKG_NAME="moby"
+PKG_VERSION="22.06.0-beta.0"
+PKG_SHA256="d0221f0b1c0eda2629ed8b7f08b4ec86e61cf38e0cf699f5bd01a2b662273b87"
+PKG_LICENSE="ASL"
+PKG_SITE="https://mobyproject.org/"
+PKG_URL="https://github.com/moby/moby/archive/v${PKG_VERSION}.tar.gz"
+PKG_DEPENDS_TARGET="toolchain go:host systemd"
+PKG_LONGDESC="Moby is an open-source project created by Docker to enable and accelerate software containerization."
+PKG_TOOLCHAIN="manual"
+
+# Git commit of the matching release https://github.com/moby/moby
+export PKG_GIT_COMMIT="a89b84221c8560e7a3dee2a653353429e7628424"
+
+PKG_MOBY_BUILDTAGS="daemon \
+ autogen \
+ exclude_graphdriver_devicemapper \
+ exclude_graphdriver_aufs \
+ exclude_graphdriver_btrfs \
+ journald"
+
+configure_target() {
+ go_configure
+
+ export LDFLAGS="-w -linkmode external -extldflags -Wl,--unresolved-symbols=ignore-in-shared-libs -extld ${CC}"
+
+ # used for docker version
+ export GITCOMMIT=${PKG_GIT_COMMIT}
+ export VERSION=${PKG_VERSION}
+ export BUILDTIME="$(date --utc)"
+
+ cat > "${PKG_BUILD}/go.mod" << EOF
+module github.com/docker/docker
+
+go 1.18
+EOF
+
+ GO111MODULE=auto ${GOLANG} mod tidy -modfile 'vendor.mod' -compat 1.18
+ GO111MODULE=auto ${GOLANG} mod vendor -modfile vendor.mod
+
+ bash hack/make/.go-autogen
+}
+
+make_target() {
+ mkdir -p bin
+ ${GOLANG} build -mod=mod -modfile=vendor.mod -v -o bin/dockerd -a -tags "${PKG_MOBY_BUILDTAGS}" -ldflags "${LDFLAGS}" ./cmd/dockerd
+}
+
+makeinstall_target() {
+ :
+}
diff --git a/packages/addons/addon-depends/docker/moby/patches/moby-001-user-addon-storage-location.patch b/packages/addons/addon-depends/docker/moby/patches/moby-001-user-addon-storage-location.patch
new file mode 100644
index 0000000000..6354be2fb8
--- /dev/null
+++ b/packages/addons/addon-depends/docker/moby/patches/moby-001-user-addon-storage-location.patch
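Review bot: `make_target` builds with `-mod=mod` even though `configure_target` has just run `go mod vendor`, so the vendored tree is never consulted and the build resolves dependencies from the module cache or the network instead; either build with `-mod=vendor -modfile=vendor.mod` or drop the vendor step. Relatedly, `go mod tidy` in `configure_target` re-resolves the dependency set at build time, so `PKG_SHA256` pins only the moby tarball and not what ends up linked into `dockerd`; unless `go_configure` (not shown here) points `GOFLAGS`/`GOPROXY` at an offline or pinned source, a comment explaining why tidy is needed over the `vendor.sum` moby ships would help the next maintainer judge that trade-off. `BUILDTIME="$(date --utc)"` also makes two builds of the same source differ; if reproducibility matters, derive it from `SOURCE_DATE_EPOCH` instead.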
@@ -0,0 +1,284 @@ +# when updating this patch just create it from scratch using this command +# +# find . -name "*.go" -print | xargs sed -i 's/\/etc\/docker/\/storage\/.kodi\/userdata\/addon_data\/service.system.docker\/config/g' +# +# +diff -Naur a/cmd/dockerd/daemon_unix.go b/cmd/dockerd/daemon_unix.go +--- a/cmd/dockerd/daemon_unix.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/cmd/dockerd/daemon_unix.go 2022-06-07 14:28:05.510327911 -0700 +@@ -25,7 +25,7 @@ + + func getDefaultDaemonConfigDir() (string, error) { + if !honorXDG { +- return "/etc/docker", nil ++ return "/storage/.kodi/userdata/addon_data/service.system.docker/config", nil + } + // NOTE: CLI uses ~/.docker while the daemon uses ~/.config/docker, because + // ~/.docker was not designed to store daemon configurations. +diff -Naur a/integration/plugin/authz/authz_plugin_test.go b/integration/plugin/authz/authz_plugin_test.go +--- a/integration/plugin/authz/authz_plugin_test.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/integration/plugin/authz/authz_plugin_test.go 2022-06-07 14:28:05.570328822 -0700 +@@ -56,15 +56,15 @@ + ctrl = &authorizationController{} + teardown := setupTest(t) + +- err := os.MkdirAll("/etc/docker/plugins", 0755) ++ err := os.MkdirAll("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins", 0755) + assert.NilError(t, err) + +- fileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", testAuthZPlugin) ++ fileName := fmt.Sprintf("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins/%s.spec", testAuthZPlugin) + err = os.WriteFile(fileName, []byte(server.URL), 0644) + assert.NilError(t, err) + + return func() { +- err := os.RemoveAll("/etc/docker/plugins") ++ err := os.RemoveAll("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins") + assert.NilError(t, err) + + teardown() +diff -Naur a/integration/plugin/graphdriver/external_test.go b/integration/plugin/graphdriver/external_test.go +--- 
a/integration/plugin/graphdriver/external_test.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/integration/plugin/graphdriver/external_test.go 2022-06-07 14:28:05.570328822 -0700 +@@ -80,7 +80,7 @@ + + sserver.Close() + jserver.Close() +- err := os.RemoveAll("/etc/docker/plugins") ++ err := os.RemoveAll("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins") + assert.NilError(t, err) + } + +@@ -345,10 +345,10 @@ + respond(w, &graphDriverResponse{Size: size}) + }) + +- err = os.MkdirAll("/etc/docker/plugins", 0755) ++ err = os.MkdirAll("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins", 0755) + assert.NilError(t, err) + +- specFile := "/etc/docker/plugins/" + name + "." + ext ++ specFile := "/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins/" + name + "." + ext + err = os.WriteFile(specFile, b, 0644) + assert.NilError(t, err) + } +diff -Naur a/integration-cli/docker_cli_daemon_test.go b/integration-cli/docker_cli_daemon_test.go +--- a/integration-cli/docker_cli_daemon_test.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/integration-cli/docker_cli_daemon_test.go 2022-06-07 14:28:05.556328610 -0700 +@@ -558,12 +558,12 @@ + + func (s *DockerDaemonSuite) TestDaemonKeyGeneration(c *testing.T) { + // TODO: skip or update for Windows daemon +- os.Remove("/etc/docker/key.json") ++ os.Remove("/storage/.kodi/userdata/addon_data/service.system.docker/config/key.json") + c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "1") + s.d.Start(c) + s.d.Stop(c) + +- k, err := libtrust.LoadKeyFile("/etc/docker/key.json") ++ k, err := libtrust.LoadKeyFile("/storage/.kodi/userdata/addon_data/service.system.docker/config/key.json") + if err != nil { + c.Fatalf("Error opening key file") + } +@@ -1212,13 +1212,13 @@ + Y string `json:"y"` + } + +- os.Remove("/etc/docker/key.json") ++ os.Remove("/storage/.kodi/userdata/addon_data/service.system.docker/config/key.json") + c.Setenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE", "1") + s.d.Start(c) 
+ s.d.Stop(c) + + config := &Config{} +- bytes, err := os.ReadFile("/etc/docker/key.json") ++ bytes, err := os.ReadFile("/storage/.kodi/userdata/addon_data/service.system.docker/config/key.json") + if err != nil { + c.Fatalf("Error reading key.json file: %s", err) + } +@@ -1238,11 +1238,11 @@ + } + + // write back +- if err := os.WriteFile("/etc/docker/key.json", newBytes, 0400); err != nil { ++ if err := os.WriteFile("/storage/.kodi/userdata/addon_data/service.system.docker/config/key.json", newBytes, 0400); err != nil { + c.Fatalf("Error os.WriteFile: %s", err) + } + +- defer os.Remove("/etc/docker/key.json") ++ defer os.Remove("/storage/.kodi/userdata/addon_data/service.system.docker/config/key.json") + + if err := s.d.StartWithError(); err == nil { + c.Fatalf("It should not be successful to start daemon with wrong key: %v", err) +diff -Naur a/integration-cli/docker_cli_external_volume_driver_test.go b/integration-cli/docker_cli_external_volume_driver_test.go +--- a/integration-cli/docker_cli_external_volume_driver_test.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/integration-cli/docker_cli_external_volume_driver_test.go 2022-06-07 14:28:05.556328610 -0700 +@@ -258,10 +258,10 @@ + send(w, `{"Capabilities": { "Scope": "global" }}`) + }) + +- err := os.MkdirAll("/etc/docker/plugins", 0755) ++ err := os.MkdirAll("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins", 0755) + assert.NilError(c, err) + +- err = os.WriteFile("/etc/docker/plugins/"+name+".spec", []byte(s.Server.URL), 0644) ++ err = os.WriteFile("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins/"+name+".spec", []byte(s.Server.URL), 0644) + assert.NilError(c, err) + return s + } +@@ -269,7 +269,7 @@ + func (s *DockerExternalVolumeSuite) TearDownSuite(c *testing.T) { + s.volumePlugin.Close() + +- err := os.RemoveAll("/etc/docker/plugins") ++ err := os.RemoveAll("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins") + assert.NilError(c, err) + 
} + +@@ -359,7 +359,7 @@ + + // Make sure a request to use a down driver doesn't block other requests + func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverLookupNotBlocked(c *testing.T) { +- specPath := "/etc/docker/plugins/down-driver.spec" ++ specPath := "/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins/down-driver.spec" + err := os.WriteFile(specPath, []byte("tcp://127.0.0.7:9999"), 0644) + assert.NilError(c, err) + defer os.RemoveAll(specPath) +diff -Naur a/integration-cli/docker_cli_network_unix_test.go b/integration-cli/docker_cli_network_unix_test.go +--- a/integration-cli/docker_cli_network_unix_test.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/integration-cli/docker_cli_network_unix_test.go 2022-06-07 14:28:05.558328640 -0700 +@@ -196,14 +196,14 @@ + } + }) + +- err := os.MkdirAll("/etc/docker/plugins", 0755) ++ err := os.MkdirAll("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins", 0755) + assert.NilError(c, err) + +- fileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", netDrv) ++ fileName := fmt.Sprintf("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins/%s.spec", netDrv) + err = os.WriteFile(fileName, []byte(url), 0644) + assert.NilError(c, err) + +- ipamFileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", ipamDrv) ++ ipamFileName := fmt.Sprintf("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins/%s.spec", ipamDrv) + err = os.WriteFile(ipamFileName, []byte(url), 0644) + assert.NilError(c, err) + } +@@ -215,7 +215,7 @@ + + s.server.Close() + +- err := os.RemoveAll("/etc/docker/plugins") ++ err := os.RemoveAll("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins") + assert.NilError(c, err) + } + +diff -Naur a/integration-cli/docker_cli_swarm_test.go b/integration-cli/docker_cli_swarm_test.go +--- a/integration-cli/docker_cli_swarm_test.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/integration-cli/docker_cli_swarm_test.go 2022-06-07 
14:28:05.561328685 -0700 +@@ -770,14 +770,14 @@ + } + }) + +- err := os.MkdirAll("/etc/docker/plugins", 0755) ++ err := os.MkdirAll("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins", 0755) + assert.NilError(c, err) + +- fileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", netDrv) ++ fileName := fmt.Sprintf("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins/%s.spec", netDrv) + err = os.WriteFile(fileName, []byte(url), 0644) + assert.NilError(c, err) + +- ipamFileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", ipamDrv) ++ ipamFileName := fmt.Sprintf("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins/%s.spec", ipamDrv) + err = os.WriteFile(ipamFileName, []byte(url), 0644) + assert.NilError(c, err) + } +@@ -789,7 +789,7 @@ + setupRemoteGlobalNetworkPlugin(c, mux, s.server.URL, globalNetworkPlugin, globalIPAMPlugin) + defer func() { + s.server.Close() +- err := os.RemoveAll("/etc/docker/plugins") ++ err := os.RemoveAll("/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins") + assert.NilError(c, err) + }() + +diff -Naur a/libnetwork/drivers/remote/driver_test.go b/libnetwork/drivers/remote/driver_test.go +--- a/libnetwork/drivers/remote/driver_test.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/libnetwork/drivers/remote/driver_test.go 2022-06-07 14:28:05.586329065 -0700 +@@ -41,7 +41,7 @@ + } + + func setupPlugin(t *testing.T, name string, mux *http.ServeMux) func() { +- specPath := "/etc/docker/plugins" ++ specPath := "/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins" + if runtime.GOOS == "windows" { + specPath = filepath.Join(os.Getenv("programdata"), "docker", "plugins") + } +diff -Naur a/libnetwork/ipams/remote/remote_test.go b/libnetwork/ipams/remote/remote_test.go +--- a/libnetwork/ipams/remote/remote_test.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/libnetwork/ipams/remote/remote_test.go 2022-06-07 14:28:05.591329141 -0700 +@@ -36,7 +36,7 @@ + } + + 
func setupPlugin(t *testing.T, name string, mux *http.ServeMux) func() { +- specPath := "/etc/docker/plugins" ++ specPath := "/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins" + if runtime.GOOS == "windows" { + specPath = filepath.Join(os.Getenv("programdata"), "docker", "plugins") + } +diff -Naur a/libnetwork/libnetwork_unix_test.go b/libnetwork/libnetwork_unix_test.go +--- a/libnetwork/libnetwork_unix_test.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/libnetwork/libnetwork_unix_test.go 2022-06-07 14:28:05.592329156 -0700 +@@ -3,4 +3,4 @@ + + package libnetwork_test + +-var specPath = "/etc/docker/plugins" ++var specPath = "/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins" +diff -Naur a/pkg/plugins/discovery_unix.go b/pkg/plugins/discovery_unix.go +--- a/pkg/plugins/discovery_unix.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/pkg/plugins/discovery_unix.go 2022-06-07 14:28:05.615329505 -0700 +@@ -3,4 +3,4 @@ + + package plugins // import "github.com/docker/docker/pkg/plugins" + +-var specsPaths = []string{"/etc/docker/plugins", "/usr/lib/docker/plugins"} ++var specsPaths = []string{"/storage/.kodi/userdata/addon_data/service.system.docker/config/plugins", "/usr/lib/docker/plugins"} +diff -Naur a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go +--- a/pkg/plugins/plugins.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/pkg/plugins/plugins.go 2022-06-07 14:28:05.616329521 -0700 +@@ -4,7 +4,7 @@ + // Docker discovers plugins by looking for them in the plugin directory whenever + // a user or container tries to use one by name. UNIX domain socket files must + // be located under /run/docker/plugins, whereas spec files can be located +-// either under /etc/docker/plugins or /usr/lib/docker/plugins. This is handled ++// either under /storage/.kodi/userdata/addon_data/service.system.docker/config/plugins or /usr/lib/docker/plugins. 
This is handled + // by the Registry interface, which lets you list all plugins or get a plugin by + // its name if it exists. + // +diff -Naur a/registry/config_unix.go b/registry/config_unix.go +--- a/registry/config_unix.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/registry/config_unix.go 2022-06-07 14:28:05.626329672 -0700 +@@ -6,7 +6,7 @@ + // defaultCertsDir is the platform-specific default directory where certificates + // are stored. On Linux, it may be overridden through certsDir, for example, when + // running in rootless mode. +-const defaultCertsDir = "/etc/docker/certs.d" ++const defaultCertsDir = "/storage/.kodi/userdata/addon_data/service.system.docker/config/certs.d" + + // cleanPath is used to ensure that a directory name is valid on the target + // platform. It will be passed in something *similar* to a URL such as +diff -Naur a/registry/endpoint_v1.go b/registry/endpoint_v1.go +--- a/registry/endpoint_v1.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/registry/endpoint_v1.go 2022-06-07 14:28:05.627329688 -0700 +@@ -63,7 +63,7 @@ + if endpoint.IsSecure { + // If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry` + // in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP. +- return invalidParamf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host) ++ return invalidParamf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. 
In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /storage/.kodi/userdata/addon_data/service.system.docker/config/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host) + } + + // If registry is insecure and HTTPS failed, fallback to HTTP. diff --git a/packages/addons/addon-depends/docker/moby/patches/moby-002-use-unconfined-seccomp-profile-as-default.patch b/packages/addons/addon-depends/docker/moby/patches/moby-002-use-unconfined-seccomp-profile-as-default.patch new file mode 100644 index 0000000000..13bc313578 --- /dev/null +++ b/packages/addons/addon-depends/docker/moby/patches/moby-002-use-unconfined-seccomp-profile-as-default.patch @@ -0,0 +1,22 @@ +--- a/daemon/config/config.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/daemon/config/config.go 2022-06-07 14:29:36.755713207 -0700 +@@ -59,7 +59,7 @@ + LinuxV2RuntimeName = "io.containerd.runc.v2" + + // SeccompProfileDefault is the built-in default seccomp profile. +- SeccompProfileDefault = "builtin" ++ SeccompProfileDefault = "unconfined" + // SeccompProfileUnconfined is a special profile name for seccomp to use an + // "unconfined" seccomp profile. + SeccompProfileUnconfined = "unconfined" +--- a/daemon/daemon_unix.go 2022-06-03 10:30:24.000000000 -0700 ++++ b/daemon/daemon_unix.go 2022-06-07 14:34:55.315558083 -0700 +@@ -1711,8 +1711,6 @@ + + func (daemon *Daemon) setupSeccompProfile() error { + switch profile := daemon.configStore.SeccompProfile; profile { +- case "", config.SeccompProfileDefault: +- daemon.seccompProfilePath = config.SeccompProfileDefault + case config.SeccompProfileUnconfined: + daemon.seccompProfilePath = config.SeccompProfileUnconfined + default:
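Review bot: The blanket sed described in the patch header also rewrites two trust roots — `defaultCertsDir` in `registry/config_unix.go`, which decides which CA certificates are accepted for a private registry, and the first entry of `specsPaths` in `pkg/plugins/discovery_unix.go`, from which dockerd discovers plugin endpoints — into a directory under Kodi's userdata, and the header does not mention it. Write access to `/storage/.kodi/userdata/addon_data/service.system.docker/config` therefore now carries the same weight that `/etc/docker` typically has on a root-only system; a header line such as `# NOTE: this also relocates certs.d (registry CA trust) and the plugin spec dir; keep the config dir owner-only writable` would make that visible to whoever regenerates the patch. Most of the 284 lines are `integration*` and `*_test.go` churn from the same sed; excluding test files (for example `find . -name '*.go' -not -name '*_test.go' -not -path './integration*'`) would keep the patch to the four runtime files.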
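Review bot: Setting `SeccompProfileDefault` to `"unconfined"` in `daemon/config/config.go` turns off the daemon's built-in syscall filter for every container unless the operator overrides it with `--seccomp-profile` or a per-container `--security-opt seccomp=`, and unlike moby-001 this patch carries no header explaining why. Removing the `case "", config.SeccompProfileDefault:` arm in `setupSeccompProfile` also means an unset `SeccompProfile` now reaches `default:`, whose body lies outside the hunk; if that branch treats the value as a file path, keep an explicit `case "":` arm assigning `daemon.seccompProfilePath = config.SeccompProfileDefault` (the old arm cannot simply be restored, since both constants are now equal and would duplicate the unconfined case). If the motivation is a kernel or runtime without seccomp support, say so in a header comment and consider leaving `SeccompProfileDefault` at `"builtin"` so that systems which do support it keep the filter by default. `setupSeccompProfile` continues past the end of the hunk.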